I don’t know whether either is demonstrably any better, though. There are other established anti-malware products with known reputations, such as Malwarebytes, which are alternatives. How much it adds to that I don’t know: that’s a question which you might put to them.Įvaluating the efficacy of any anti-malware product is not easy, and I don’t know of anywhere which has performed such an evaluation of this product. It’s cross-platform, and some years ago someone offered a friendly packaged version with a GUI front end for macOS, called ClamXAV, which I used from time to time.Īs far as I can tell from that website, ClamXAV, which is developed by a legitimate Scottish company with identified developers and staff, is a successor to that, which uses the ClamAV engine. ![]() ![]() No, I don’t think that ClamXAV is a scam at all.ĬlamAV is a well-known and widely-used open source anti-malware tool which is in active development and very well-supported. However, its default flags (which should validate the ‘native’ architecture which will run when you run the code) fail in this case, resulting in this incorrect behaviour. He also reports that SecStaticCodeCheckValidity() does work if you tell it to perform strict verification, or to verify all the architectures in the file. Patrick Wardle points out that this bug was first discovered and reported by Josh Pitts. If you rely on any other malware checking tools, such as an anti-virus product, you may want to install the updated What’s My Sign? (version 1.4.1) and perform manual checks until that product has been updated to address this problem.Īnti-virus and security product vendors should already be busy preparing updates to all their apps. Patrick has found a workaround, and has already updated Objective-See’s invaluable signature-checking tool What’s My Sign?, which shouldn’t now succumb to this spoofing. Malware which exploits this vulnerability could therefore pass this stage of their checks. However, the flawed function is used by most, perhaps all, other anti-malware tools. MacOS Gatekeeper doesn’t appear to be affected by this, so it should still return reliable results. ![]() It is possible for a malware author to trick this function into returning a successful result, claiming that there is a valid certificate from Apple, although there is nothing of the kind. The call succeeds if all these conditions are satisfactory. It validates the code against a code requirement if one is specified. It checks the validity of all sealed components, including resources (if any). This function obtains and verifies the signature on the code specified by the code object. ![]() Apple’s description of this function reads: The problem lies buried in a macOS Global Function, SecStaticCodeCheckValidity(), which is used by almost all signature-checking tools and apps (including Apple’s command line tools) to validate the signature of a file. Details of a bug revealed in Twitter today by Patrick Wardle, of Securita Security and Objective-See, demonstrate that most anti-malware tools can easily be spoofed into accepting completely fictitious certificates. One of the basic checks which all malware protection should make is whether apps and other code have been correctly signed.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |